What is Pegasus Spyware? How to Prevent It? Government-backed cyber-surveillance is in the news again following an exposé in the UK's Guardian newspaper about a piece of malware called Pegasus.
New leaks reveal how advanced spyware sold to governments is apparently being used by authoritarian regimes to target journalists and activists. These are shocking developments if you care about your privacy and security at all. It is a complex topic, but I have done my best to distill it.
This spyware can turn a phone into a fully fledged surveillance device that records audio and video, reads the photos and messages on it, and more.
In this article I look at what Pegasus is, how it works, how it gets onto phones, and what you can do to protect yourself.
What is NSO Group?
The Israeli company NSO Group, a billion-dollar corporation that Wikipedia fittingly describes as a cyber-arms firm, is at the center of the story: it makes spyware. As of 2020 it had more than 500 employees working day in and day out on one target: mobile phones.
NSO focuses almost exclusively on finding vulnerabilities in iOS and Android. The reason is simple: our phones are the perfect surveillance tool. They carry a microphone and a camera, they know where we are and what we are doing at all times, and they hold both our real-time communications and the logs of past messages.
What is Pegasus Spyware?
Pegasus is spyware. It gets onto a smartphone (or another device) through an attack vector. It is a software product made by the Israeli company NSO Group. The company has other products, but Pegasus has been the center of attention for the last couple of years.
The spyware NSO develops is incredibly advanced; "zero-click" attack vectors are its specialty. Pegasus can infect a phone simply by sending it a message. Protecting yourself from this malware is therefore not a matter of not opening suspicious emails or not clicking dodgy links.
What is a Vector?
The vector is whatever carries the spyware onto the phone. It could be a messaging app, it could be WhatsApp, it could be email.
Once on the phone, the spyware installs itself and starts sending your data and activity (your browser history, what you are doing, all of it) back to the attacker.
What is Spyware?
Many bad things go by the name spyware. Spyware is software installed on a computing device without the user's knowledge or consent. It can violate the user's privacy and abuse their accounts and devices.
Spyware can be hard to detect. Often the first sign of an infection is a noticeable drop in performance, whether of the processor, the network or the battery.
Spyware describes an entire category of malicious software, including adware, which is often bundled with free software and utilities downloaded from the internet, or installed when the user visits a compromised website;
Keyloggers: often used by criminals to record keystrokes and steal personal information, login credentials and sensitive enterprise data;
Trojans: disguised as legitimate emails and downloads; they can delete data, encrypt files for ransom, or let others take over the infected device;
Mobile spyware: uses the phone's camera and microphone to spy on nearby activity, records phone calls and tracks location.
Who Is Targeted by Pegasus Spyware?
Pegasus is probably the most sophisticated piece of malware known at this time. It is made by the Israeli company NSO Group, which sells it only to governments, and it is meant to be used in the fight against terrorism.
Yet the new leaks confirm Pegasus is often sold to countries of dubious moral standing, and this is where the problems begin. NSO says its spyware is sold to governments on the proviso that it is used only to fight crime and terrorism. Its website homepage bears the phrase "cyber intelligence for global security and stability"; let me tell you why that is a little ironic.
The recent investigation, coordinated by Forbidden Stories with technical support from Amnesty International's Security Lab, details how, according to them, about 50,000 phone numbers were selected as potential Pegasus targets.
These include heads of state, activists and journalists, among them the family of Jamal Khashoggi. If you are not familiar with him, Khashoggi was a Saudi journalist who often said things the Saudi government did not like. He was murdered in Istanbul by Saudi operatives, who quite literally dismembered his body.
All the while, Pegasus was allegedly being used to spy on his family; the allegation is that Pegasus aided his assassination, a claim NSO flatly denies. Countries reported to have had contracts with NSO to use Pegasus include Saudi Arabia (surprise, surprise), Bahrain, Azerbaijan and the UAE, among others.
This list looks small until you realize these are only the ones we know about; NSO says it sells to some 40 countries it does not name. One common vector for the "zero-click" exploits Pegasus uses to get onto a device is iMessage.
Now let's look at how Pegasus works and what it does.
How Does Pegasus Spyware Get Installed on Your Phone?
The earliest versions of Pegasus were seen in 2016-2017, so its existence has been known for a while. However, it has become more and more powerful and capable over time.
Back in 2016-2017, Pegasus relied on classic phishing. You received a link; most of us have seen dubious links on WhatsApp or in email.
The same happens in real-time chat such as Facebook Messenger: a message arrives that does not look right. Many people will not click on it, but many do, and that is how it got installed.
What the latest series of stories has made clear is that Pegasus no longer relies on phishing. It uses what are called zero-click vulnerabilities.
This means it can install itself on a phone without the user taking any action or making any mistake. No interaction is required.
Suppose you receive an email carrying the spyware, and you have a mail client on your phone, such as Apple Mail or another mail app, that downloads and parses messages before you ever open them. If a bug in that parsing is triggered while the message is being processed, the spyware is installed before you can act on it.
This situation is far more worrying because the user does not know they have been attacked. Since you did nothing, there is nothing you could have avoided, and that is what makes it so tricky.
Deeper: How Does Pegasus Spyware Get Installed?
All software has bugs. That is a fact, and the more complex the software, the more bugs it has; there are rules of thumb for estimating the number of bugs from the size of a software project.
Most bugs are only a nuisance. You try to do something with a program and it does not quite work, or the input is not quite what the program expects and the UI glitches. The developers figure it out, fix it and ship it in the next release as an update.
But there is a category of bugs that is very, very serious: security bugs. Security issues exist everywhere. They exist in Android, in iOS, in Windows, in Linux, in macOS, in the applications themselves, in network services, and in the servers running all the back-end services we use. They are everywhere.
They are serious because once security is breached, an attacker has unauthorized access, and Pegasus is all about unauthorized access to things the attacker should not be able to reach.
Many companies take these issues seriously. Google, for example, runs a Vulnerability Reward Program: if you find a problem in Chrome, Android or the Play Store and demonstrate that the bug lets you bypass a security mechanism, they pay you for your time.
Real experts spend their time trying to break into Android, Chrome, Amazon Web Services, iOS and Windows, and companies like Amazon, Microsoft and Google pay for what they find.
Indeed, in 2020-2021, Google paid out 7.1 million dollars to researchers who had found various security flaws in Android and Chrome.
The problem is that there are always more bugs. Some researchers, like those at NSO, do the analysis, find the bug, and then do not tell Apple, Microsoft or Google; they keep it for themselves.
This is what makes NSO's spyware so dangerous. You can become a victim simply by receiving a malicious text message carrying a "zero-click" exploit, so called because it requires no user interaction to execute; the malware can then delete the offending message so you have no idea you were ever targeted.
NSO packages vulnerabilities like these into Pegasus. Once installed, Pegasus can listen through the microphone, look through the camera, retrieve saved files, read your messages, and so on. Do you think you are safe because you use Signal with its end-to-end encryption?
Not so fast. End-to-end encryption protects a message in transit, but it is irrelevant once Pegasus is running on your device: the phone decrypts the message for you to read, and the spyware reads it right there. And surely these hacks are only ever used against terrorists and criminals? As the leaks show, that is not the case.
NSO has also been reported to buy such bugs from researchers, paying more than Google or Apple would, and then keep them for itself. Pegasus works using what are called zero-day vulnerabilities.
What are Zero-Day Vulnerabilities?
A zero-day vulnerability is a bug that a group like NSO knows about, and perhaps others know about, but the software's authors do not.
A bug they know about that Google does not, or that Apple does not, is a zero-day vulnerability because the vendor, the author of the software, has had exactly zero days in which to address and fix the problem.
Why zero days? Because they do not know about it. It is a hidden bug that some people know about, but the manufacturer, the OEM, the vendor, the author know nothing about it.
To use a hidden bug, first you find the problem, then you write an exploit for it, and then you use that exploit to gain privileges and access you could not normally have.
That is what Pegasus does.
It finds weaknesses in Android and iOS devices and worms its way in, bypassing the standard security checks Apple and Google build into their operating systems. It hides itself on the device and starts its spying activities.
It opens a network connection back to a server somewhere and passes back photos and audio recordings, so the people running it can see and hear what is going on around the person being targeted.
To be clear, I am not looking at the politics, the ethics or the morals of this. I am just looking at the technology.
For Pegasus to get onto a device, it needs what is known as an attack vector: there has to be a way to launch the attack against that device.
It’s an old method!
The most obvious way to start the attack is via a link sent by SMS, in an image, or in a WhatsApp message, which the user then, unbelievably, clicks, because they think it has to do with their bank, a credit card, or even a parcel delivery.
The link takes them to a website that probably redirects them somewhere well known, such as their online bank. But that first hop has already started downloading something onto the device, and that payload's job is to exploit the zero-day vulnerability.
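The lure described above lives or dies on the link looking plausible. As an added illustration that is not code from this article, the following Python triages the links in a text message the way a cautious reader would: it flags plain HTTP, raw IP hosts, punycode labels, shorteners, non-standard ports, deep subdomain chains, and brand names that appear in a subdomain or a look-alike domain rather than the brand's own registered domain. The brand list, the shortener list, the `registered_domain` heuristic and the sample SMS are all constructed for the example (a real checker would use the Public Suffix List).

```python
import re
from urllib.parse import urlsplit

URL_RE = re.compile(r"""https?://[^\s<>"']+""", re.IGNORECASE)
TRAILING_PUNCT = ".,;:!?)\"'"

# Constructed for this example: the genuine domains of brands that smishing
# lures commonly impersonate, and shorteners that hide the true destination.
BRAND_DOMAINS = {
    "paypal": "paypal.com",
    "dhl": "dhl.com",
    "fedex": "fedex.com",
    "hsbc": "hsbc.co.uk",
    "apple": "apple.com",
    "icloud": "icloud.com",
}
SHORTENERS = {"bit.ly", "tinyurl.com", "t.co", "is.gd"}

# Constructed sample message (hypothetical domains, not real lures).
SAMPLE_SMS = (
    "DHL: your parcel is waiting. Reschedule at "
    "http://dhl.tracking-update.xyz/reschedule?id=44. "
    "Or pay the fee here: https://secure-paypal-login.com/verify."
)


def registered_domain(host):
    """Naive registrable domain: the last two labels, or three when the
    second-level label is a common country-code second level (co.uk, com.au).
    A production checker would consult the Public Suffix List instead."""
    labels = host.lower().strip(".").split(".")
    if len(labels) >= 3 and labels[-2] in ("co", "com", "org", "net", "gov"):
        return ".".join(labels[-3:])
    return ".".join(labels[-2:])


def extract_urls(text):
    """Pull http(s) URLs out of free text, dropping trailing punctuation."""
    return [u.rstrip(TRAILING_PUNCT) for u in URL_RE.findall(text)]


def triage_url(url):
    """Return the reasons a URL looks like a lure; an empty list means none found."""
    reasons = []
    parts = urlsplit(url)
    host = (parts.hostname or "").lower()
    if not host:
        return ["no hostname"]
    if parts.scheme.lower() != "https":
        reasons.append("plain http")
    if re.fullmatch(r"\d{1,3}(\.\d{1,3}){3}", host):
        reasons.append("raw IP address as host")
    if "xn--" in host:
        reasons.append("punycode label (possible homograph)")
    if host in SHORTENERS:
        reasons.append("URL shortener hides destination")
    if parts.port not in (None, 80, 443):
        reasons.append("non-standard port %d" % parts.port)
    if host.count(".") >= 4:
        reasons.append("unusually deep subdomain chain")
    reg = registered_domain(host)
    subdomain = host[: len(host) - len(reg)].rstrip(".")
    for brand, real in BRAND_DOMAINS.items():
        if reg == real:
            continue  # genuinely the brand's own registered domain
        if brand in subdomain:
            reasons.append("brand '%s' in subdomain, but registered domain is %s" % (brand, reg))
        elif brand in reg:
            reasons.append("brand '%s' embedded in look-alike domain %s" % (brand, reg))
    return reasons


def triage_message(text):
    """Map every URL found in a message to its list of warning reasons."""
    return {url: triage_url(url) for url in extract_urls(text)}


if __name__ == "__main__":
    for url, reasons in triage_message(SAMPLE_SMS).items():
        print(url, "->", reasons or ["nothing suspicious found"])
```

Note what this does not do: it says nothing about where the redirect chain ends, and a zero-click exploit delivered over iMessage or a voice call never presents a link at all, so a clean result here is not evidence of safety.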
Unfortunately, there are also what are called zero-click exploits.
What is a Zero-Click Exploit? (The Method Pegasus Uses)
These are exploits that can target a device without the user doing anything at all, without even clicking on something.
Back in 2019, a vulnerability in WhatsApp's voice-calling feature allowed Pegasus to install itself simply by placing a call to the device, whether or not the call was answered. WhatsApp fixed the bug, but for a period Pegasus could install itself on devices while the user had no idea. They did not even click a suspicious link. It just happened!
That, of course, is why there is a cat-and-mouse game between Apple and Google on one side and people like NSO Group on the other, each hunting for these vulnerabilities and exploits and always trying to get one step ahead of the other.
Once Installed, What Can Pegasus Spyware Do?
Amnesty's forensic team, which analyzed data dumps from phones that had been attacked, says Pegasus gives the attacker more control over the device than the actual user has.
On an iPhone it gains root access, which means it can change anything and see everything you do on the device without exception. It can turn any smartphone, Android or iOS, into a full surveillance device.
That means it can read messages, record phone calls, record audio through the microphone, capture video, take photos, look at the photos already on the device, and so on.
It can also access location data. Combine all of this and the person carrying the phone is effectively carrying an agent of whichever government is behind it around with them everywhere they go, showing it everything they do.
It transmits all of this to the attacker, who also gets your contacts, call logs, emails and files, and can browse through all of it.
How to Know if Pegasus Spyware Is Targeting You?
It is extremely hard for people to know that they have been infected or targeted. You may notice your smartphone slowing down, but you will probably not realize spyware is the cause.
Most devices get slower as they age, and they hang from time to time, so you do not suspect anything malicious is happening.
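Because symptoms are so unreliable, the practical check is forensic: compare artifacts on the phone against published indicators of compromise, which is exactly how Amnesty's forensic team works and how the command-and-control traffic mentioned earlier leaves traces. The Python below is an added example, not code from this article or from Amnesty: it reads a simplified, STIX 2-shaped indicator bundle (domain-name and process-name patterns), then scans two kinds of records a phone backup yields, browser-history URLs and per-process network-usage rows, and reports time-ordered hits, treating any subdomain of an indicator domain as a match. Every domain, process name and record here is constructed and hypothetical; it is not the real Pegasus indicator set.

```python
import json
import re
from urllib.parse import urlsplit

# Constructed, hypothetical indicator bundle in the shape of a STIX 2 bundle.
# NOT the real Pegasus indicators; Amnesty's Security Lab publishes those
# separately. Every domain and process name below is made up.
SAMPLE_STIX = json.dumps({
    "type": "bundle",
    "id": "bundle--example",
    "objects": [
        {"type": "indicator", "pattern": "[domain-name:value = 'example-c2.test']"},
        {"type": "indicator", "pattern": "[domain-name:value = 'cdn.example-c2.test']"},
        {"type": "indicator", "pattern": "[process:name = 'exampleproc']"},
        {"type": "malware", "name": "hypothetical"},
    ],
})

# Constructed device records of the kind a backup yields: browser-history rows
# (timestamp, url) and network-usage rows (timestamp, process name, bytes).
SAMPLE_HISTORY = [
    ("2021-07-18 09:12:03", "https://www.apple.com/"),
    ("2021-07-18 09:12:41", "https://cdn.example-c2.test/u/3a9f"),
    ("2021-07-18 09:13:02", "https://news.example.org/story"),
]
SAMPLE_NETUSAGE = [
    ("2021-07-18 09:12:40", "MobileSafari", 48211),
    ("2021-07-18 09:12:55", "exampleproc", 1203993),
    ("2021-07-18 09:20:10", "mDNSResponder", 1100),
]

# Only the two simple pattern shapes this example understands.
PATTERN_RE = re.compile(r"\[(domain-name:value|process:name)\s*=\s*'([^']+)'\]")


def load_indicators(stix_json):
    """Split STIX indicator patterns into a domain set and a process-name set."""
    domains, processes = set(), set()
    for obj in json.loads(stix_json).get("objects", []):
        if obj.get("type") != "indicator":
            continue
        m = PATTERN_RE.fullmatch(obj.get("pattern", "").strip())
        if not m:
            continue  # unsupported pattern shape; a real tool would log this
        kind, value = m.group(1), m.group(2).lower()
        (domains if kind == "domain-name:value" else processes).add(value)
    return domains, processes


def domain_matches(host, domains):
    """True if host equals an indicator domain or is a subdomain of one."""
    host = host.lower().rstrip(".")
    return any(host == d or host.endswith("." + d) for d in domains)


def scan_history(rows, domains):
    hits = []
    for ts, url in rows:
        host = urlsplit(url).hostname or ""
        if domain_matches(host, domains):
            hits.append({"when": ts, "artifact": "browser_history", "value": url})
    return hits


def scan_netusage(rows, processes):
    hits = []
    for ts, proc, nbytes in rows:
        if proc.lower() in processes:
            hits.append({"when": ts, "artifact": "netusage", "value": proc, "bytes": nbytes})
    return hits


def scan_device(stix_json, history, netusage):
    """Run every scan and return the hits ordered by timestamp, oldest first."""
    domains, processes = load_indicators(stix_json)
    hits = scan_history(history, domains) + scan_netusage(netusage, processes)
    return sorted(hits, key=lambda h: h["when"])


if __name__ == "__main__":
    for hit in scan_device(SAMPLE_STIX, SAMPLE_HISTORY, SAMPLE_NETUSAGE):
        print(hit)
```

Amnesty's open-source Mobile Verification Toolkit performs this kind of matching against a real iOS backup with its published indicator file, for example `mvt-ios check-backup --iocs pegasus.stix2 <backup-dir>`. Two caveats apply to any such check: an empty result only means none of the known indicators were seen, not that the phone is clean, and the timestamps of the hits matter more than their count, since an unexplained process sending a burst of data right after a visit to an unknown domain is the pattern worth investigating.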
How Much Does Pegasus Cost?
This kind of technology does not come cheap. A government that wants to license Pegasus pays millions of dollars, not hundreds of thousands. Millions of dollars to get its hands on this tech.
Now, let’s see quickly how you might be able to protect yourself against malware like Pegasus.
How To Protect Yourself Against Pegasus?
Preventing this attack, particularly a zero-click one, is extremely difficult. In the earlier era of spear-phishing it was conventional: over time, users learned to be very careful about clicking certain links or installing applications they do not trust.
But I will tell you from the outset: if you are being targeted by a government agency that has tools like Pegasus at its disposal, there is very little chance of protecting yourself. That is just a fact, scary as it sounds.
There are still a few things you can do.
1. The most drastic is to throw your smartphone in the bin if you are involved in any kind of activity that a regime or government could target you for, such as speaking or acting against it.
2. Otherwise, where you really cannot do anything else on your own, the most you can do is make sure you are running the latest version of the operating system and of every application on your phone. If Apple or Google has already identified the vulnerability, you may have a patch that blocks it.
Amnesty notes that even some devices running the most recent version of the operating system were compromised, so this is no guarantee.
Still, one precaution you must take is to update your operating system whenever a new update arrives. The same applies to applications; if possible, keep them in auto-update mode.
3. Do not install applications that should not be on your device or that are not delivered through your operating system's official store. Many users, particularly on Android, install applications from elsewhere, which can be extremely risky.
4. A critical tip a tech specialist gave me: stop using the app. If you do not trust a particular application, use the web version in the browser instead. You can do this for many things; for example, do not use the Facebook app, just use the browser. It is inconvenient, but it helps a little.
5. Do not click on suspicious links. If there is even a little doubt in your mind, do not look at it. Why did you suddenly get that message? Why would anyone send you a message about a parcel that has not been delivered, or about your bank, when you knew nothing about it? Do not click on it.
Whatever you do, do not click. Just delete the message. If it is important, you will be contacted another way, by phone or by letter. Clicking links is the most common way malware gets onto our devices.
6. It is also worth pointing out, if you use an Android phone or a jailbroken iPhone: do not sideload third-party applications, since you have no idea what you are getting.
They may say, oh, this is just a mirror of Angry Birds. But it is not; it is a version of Angry Birds with something else built in.
You have no assurance and no way to check what you are installing. Are you sure it is the genuine thing? It may well contain some sort of malware; in the worst case, something as sophisticated as Pegasus.
7. Another thing you can do, of course, is leave your smartphone at home when you go out. If you go to meet somebody, attend a meeting or get involved in something, they cannot track what you are doing through your phone, because it is not on your person.
8. You can also disable the camera; there is a well-known video in which Edward Snowden shows how to physically remove the camera from a smartphone, so that even if the device is infected that component cannot be used. But this is not full protection on its own: your calls and emails are still exposed to Pegasus.
9. Finally, if you are an iPhone user, do not rest in complacency thinking the iPhone is more secure than Android. It is not. iPhone exploit chains were reportedly used on behalf of the Chinese government to spy on specific ethnic groups in China in exactly the same way.